GLG Security Controls And Disaster Recovery Policies Summary
Information Technology Security Leadership
Information Technology Security governance is adopted at all levels of the organization. GLG’s leadership is committed to the security program objectives, policies, and standards. This top-down approach establishes the governance criteria for how GLG protects the data received, processed, transmitted, and stored (see Table 1). GLG has established a Technology Security Committee to oversee Information Security culture, policies, and practices, which include, among other things, the following:
1. Physical Access Controls
- GLG uses cloud services to host all business-critical services and applications, which are located at facilities with 24-hour security personnel, restricted photo identification, and key card access.
- Access to GLG facilities and sensitive areas is restricted to employees and other authorized persons, and access to facility resources is granted based on job responsibilities.
- GLG maintains and controls access to all areas by using a preapproved list, managed by a central information system.
- GLG’s management reviews the accuracy and appropriateness of physical access rights and access is removed once an employee leaves GLG.
- Audit trails are kept of all admissions in and out of all buildings and server rooms. Audit trails are maintained and reviewed by security staff from hosting center management and audit personnel on a periodic and need-to-know basis.
- Entry and exit points at all GLG facilities, including sensitive areas, are monitored and recorded by surveillance cameras.
2. Logical Access Controls
User Access Management:
- Access to infrastructure assets is limited to authorized members of the Engineering and Technology team following a “least-privilege principle.” Access requests for the creation of new users are logged, approved, and reviewed quarterly – following a defined Logical Access Policy.
- A formal audit review of all users’ access and authorizations is performed quarterly. This review recertifies that access and permissions for end users and privileged IT users correspond correctly to the relevant role.
- A dedicated GLG team is responsible for granting, denying, cancelling, and terminating user access. This follows provisioning and deprovisioning processes for access to GLG facilities and information systems.
- Administrative access is limited to authorized technology employees and requires a secure connection through GLG’s bastion VPN with multifactor authentication.
Access to GLG Applications:
- Identity access control and management are based on a central directory and consist of a hybrid implementation of Active Directory (AD) and Azure Active Directory.
- Appropriate procedures have been established to add, modify, and delete users in a timely manner. These procedures reduce the risk of unauthorized and inappropriate access to systems and applications. Only authenticated users have authorization to initiate and submit requests before they are routed to the appropriate GLG group for processing. Logical segregation is implemented with role-based rights and privilege management to restrict access to data to business needs only.
Authentication:
- Passwords are issued in accordance with established industry standards. All users are required to reset their password upon initial login and to change it periodically.
- GLG requires unique user IDs and complex passwords consisting of the following:
  - Minimum length: 8 characters
  - Maximum age: 60 days
  - Minimum password age: 1 day
  - Reuse of passwords remembered: 8
  - Require 3 of the following character types: lowercase, uppercase, numeric, special characters
- GLG requires multifactor authentication for access to systems and applications.
- Where possible, web applications use SAML 2.0 Single Sign-On (SSO).
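As an added example (not GLG's own code or tooling), the following Python shows how the password rules listed above could be enforced in a user store: the length and 3-of-4 character-class checks, the 1-day minimum and 60-day maximum age, a history of the last 8 passwords, and the forced reset on first login. The storage scheme (PBKDF2-HMAC-SHA256 with a per-user salt), the record layout, and the waiver of the minimum age for the administrator-forced first-login reset are assumptions made for this example.

```python
"""Added example (not GLG's code): enforcing the password rules stated in the policy.

Rules from the policy: minimum length 8, maximum age 60 days, minimum age 1 day,
last 8 passwords remembered, 3 of 4 character types, forced reset on first login.
Storage scheme (PBKDF2-HMAC-SHA256, per-user salt) and record layout are assumptions.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8
REQUIRED_CLASSES = 3
MAX_AGE = timedelta(days=60)
MIN_AGE = timedelta(days=1)
HISTORY_SIZE = 8

ERR_LENGTH = f"shorter than {MIN_LENGTH} characters"
ERR_CLASSES = f"fewer than {REQUIRED_CLASSES} of 4 character types"
ERR_MIN_AGE = "minimum password age of 1 day not reached"
ERR_REUSE = f"matches one of the last {HISTORY_SIZE} passwords"


def character_classes(password: str) -> int:
    """Number of the four classes (lower, upper, digit, special) present."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def complexity_errors(password: str) -> list[str]:
    """Static checks that need no account state."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(ERR_LENGTH)
    if character_classes(password) < REQUIRED_CLASSES:
        errors.append(ERR_CLASSES)
    return errors


def _digest(salt: bytes, password: str) -> bytes:
    # Slow salted hash so stored history entries are not cheap to reverse (example choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordRecord:
    salt: bytes
    history: list[bytes]      # most recent first; history[0] is the current password
    last_changed: datetime
    must_change: bool = True  # set on issue so that the first login forces a reset


def new_record(initial_password: str, now: datetime) -> PasswordRecord:
    """Issue a password; the user must reset it at first login."""
    errors = complexity_errors(initial_password)
    if errors:
        raise ValueError(", ".join(errors))
    salt = secrets.token_bytes(16)
    return PasswordRecord(salt, [_digest(salt, initial_password)], now)


def must_reset(record: PasswordRecord, now: datetime) -> bool:
    """True on first login or once the 60-day maximum age has passed."""
    return record.must_change or now - record.last_changed >= MAX_AGE


def change_password(record: PasswordRecord, new_password: str, now: datetime) -> list[str]:
    """Apply a change; returns the violated rules (an empty list means accepted)."""
    errors = complexity_errors(new_password)
    # The 1-day minimum age is waived for the forced first-login reset (assumption).
    if not record.must_change and now - record.last_changed < MIN_AGE:
        errors.append(ERR_MIN_AGE)
    new_hash = _digest(record.salt, new_password)
    if any(hmac.compare_digest(new_hash, old) for old in record.history[:HISTORY_SIZE]):
        errors.append(ERR_REUSE)
    if errors:
        return errors
    record.history = ([new_hash] + record.history)[:HISTORY_SIZE]
    record.last_changed = now
    record.must_change = False
    return []


def demo() -> dict:
    """Walk one account through the lifecycle on a constructed timeline."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rec = new_record("Initial1!", t0)
    out = {"forced_reset_on_first_login": must_reset(rec, t0)}
    out["first_change"] = change_password(rec, "Second2@", t0)
    out["reset_cleared"] = must_reset(rec, t0)
    out["too_soon"] = change_password(rec, "Third3#x", t0 + timedelta(hours=1))
    out["reuse"] = change_password(rec, "Initial1!", t0 + timedelta(days=2))
    out["weak"] = change_password(rec, "password", t0 + timedelta(days=2))
    out["rotated"] = change_password(rec, "Third3#x", t0 + timedelta(days=2))
    out["expired_after_60_days"] = must_reset(rec, t0 + timedelta(days=62))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Running the module prints each lifecycle step and its outcome. Note that the history check compares hashes of the candidate against stored hashes rather than keeping plaintext, and that a real deployment would back this with the directory's own policy engine rather than application code.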
3. Data Storage, Transmission, and Retention Controls
Data Transmission:
- External data transmissions between GLG systems and applications are secured via one of the following internet security protocols: Private Leased Line, IPSEC VPN, MPLS, HTTPS/SSL, TLS, SSH or equivalent encryption methods to secure data in transit.
- All information is transferred between authorized information systems and resources and is only exchanged through GLG’s secure and authorized transfer mechanisms.
- GLG prohibits the use of unapproved non-secured external messaging systems and file share sites for transmitting data.
- Messaging systems are protected by industry standard spam, phishing, and malware filtering.
Data Storage:
- The data estate resides across cloud infrastructure, including SQL Servers in AWS on EC2, Azure SQL Database, and Amazon RDS.
- The infrastructure leverages MongoDB on Atlas and Snowflake integration.
Data Retention:
- GLG enforces a retention policy that keeps internal data for 15 months (one year and three months).
- Business and personal data are kept indefinitely.
4. Systems Security Controls
Production Systems:
- GLG systems and applications are architected with industry-standard security best practices and are regularly scanned for vulnerabilities. Computer system protection includes:
  - OS hardening
  - Vendor-supplied patches
  - Intrusion detection
  - Web application firewalls
  - Centralized logging and monitoring
  - Network firewall ACLs configured for least privilege
End User Systems:
- GLG end user computers are configured with industry-standard security best practices. Host-based security systems include:
  - Antivirus/anti-malware agents
  - Web content filtering
  - Secured software deployment and patch management
  - Full disk encryption
  - Automatic screen lockout
  - Restricted administrator and software installation privileges
  - Restricted write access to removable storage devices
Mobile Devices:
- Adherence to GLG’s mobile device policy is enforced before any device is granted access to information. The policy includes the following criteria:
  - Minimum 6-character password
  - Hardware encryption
  - Screen lockout (5 minutes)
  - Jailbroken devices are not permitted
5. Network Security and Controls
- GLG maintains security of all network communication by using encryption, segmentation of domains, and Virtual Private Network technology. There is a defined policy to manage access over the internet: e-commerce, employee internet access, email, dedicated communication for business to business connections, wireless networks, and external sources. GLG delivers all core business and services using Amazon Web Services (AWS), leveraging a robust cloud infrastructure that ensures:
  - High network availability to global customers
  - Fast and responsive business solutions
  - Secure data and systems (ensuring confidentiality, integrity, and availability)
Wireless Access and Controls:
- Employee and visitor wireless networks are segregated and have unique Service Set Identifiers (SSIDs).
- Alphanumeric passwords are configured with a minimum length of 10 characters.
- Wireless access to internal network resources is protected by MAC-based Access Control Lists (ACLs).
6. System and Application Monitoring Controls
- GLG implements a central and read-only logging system with event correlation and alerting for all production and critical applications. This system captures at a minimum:
  - When (timestamp)
  - Who (user, operator, or administrator)
  - What (information about the event)
- Logs are configured to track:
  - Authorized access
  - Privileged operations
  - Unauthorized access attempts
  - System alerts or failures
  - Changes to system security settings
7. Availability Controls
Backup Management:
- GLG maintains secure offsite data back-ups of production information and retains:
  Primary:
  – 7 Days
  – 30 Days
  Secondary:
  – 7 Days
  – 30 Days
  – 13 Months
  – Monthly forever (taken on first day of month)
  Transaction Logs:
  – 7 Days
  – 30 Days
- GLG backup data is synchronized between AWS regions.
Disaster Recovery:
- A standard disaster recovery operating procedure contains detailed plans to address restoration processes for GLG’s mission-critical systems, based on the following scenarios:
  - Loss of facilities
  - Loss of systems
  - Loss of key third-party systems
- GLG uses cloud services to host all business-critical services and applications. GLG evaluates the redundancies and Service Level Agreements (SLAs) of each vendor to maintain availability of service. GLG critical infrastructure includes:
  - Amazon AWS – critical applications and databases
  - Salesforce – Client and Council Member contacts, project data, compliance
  - Microsoft Office 365 – Email and secure document collaboration
  - GitHub – Code repository
  - Mimecast – Email archiving and redundancy
- GLG utilizes AWS regions and availability zones to achieve high availability for the systems and applications it builds.
- Employees are equipped with GLG issued laptops providing the ability to work remotely from any location.
- A complete list of sub-processors can be found in Table 2, List of Public Administrative Resources.
8. Incident Management
- In the event of a cybersecurity incident, an established response team activates the incident response plan to respond and recover critical systems. The plan is carried out in coordination with various stakeholders, including critical system owners, and under the defined change management policy. The plan addresses the following:
  - Escalations based on the incident classification or severity
  - Contact list for incident reporting, escalation, and stakeholder service continuity
  - Procedures and guidelines for analysis, response, and recovery
  - Compliance with applicable security breach notification laws
  - Incident log
  - System assessment and authorization
  - Issue resolution, reporting, and review
9. Audits & Assessments of Internal Security
Controls Audits:
- Quarterly reviews are conducted by the internal audit team to assess compliance with established controls, policies, and technical measures. The assessments are performed under the following parameters:
  - Measurement of systems security against audit checklists, external standards, and regulations
  - Analysis and reporting on gaps in security controls
  - Recommendations for the implementation of corrective measures
  - Conclusions and recommendations for process improvements
Continuous Vulnerability Assessments:
- GLG partners with a third-party managed security service provider (MSSP) to analyze and report on vulnerabilities and to perform assessments of its production environment. The service provided consists of:
  - Regular updates to the inventory of systems
  - Monitoring system and network security configurations
  - Monitoring system and platform access control
  - System and application vulnerability scans
  - Threat-informed defense
- Reporting, analysis of findings, and mitigation are performed weekly.